
Inconsistent ISO definitions of 'risk treatment' - deep dive

Today while reviewing a Committee Draft update of ISO/IEC 27003:2017, I tripped over a terminological issue in the midst of a complex yet critical section of the standard concerning ISO/IEC 27001 clause 6.1 'Actions to address risks and opportunities'.


Clause 6.1 is a major cause of confusion among organisations implementing 27001, among certification auditors assessing conformity with the standard and, it seems, among the committee responsible for these standards. In short, it's a right muddle, hence the importance of offering clear explanation and pragmatic guidance in 27003.


We're shooting some way wide of that goal at present, most notably in this critical section.


I'd like to emphasise that the terminological or linguistic issue concerns the phrase 'risk treatment'. Specifically, four possible options for treating a risk are laid out in the 27003 CD:

  1. "Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk or by removing the risk source (for example stop using certain technologies)."

    'The activity that gives rise to the risk' is quite vague and may confuse readers who don't understand 'give rise to' or 'activity'. 'Not to start or continue' is presumably a condensed form of 'not to start or not to continue', a small point but it may also be confusing for those who don't notice or appreciate the second implied negation - if indeed that is the intended meaning. I'm not entirely sure.

    Finally, 'removing the risk source' begs questions about the 'sources' of risk. The example suggests that technology is a risk source, but other than that there are no clues here about the nature or meaning of risk sources.

  2. "Modifying the risk by changing the likelihood (for example reducing vulnerabilities) or the consequences (for example have a backup) or both or;" This option draws on the definition of risk treatment - and there is more to say on that below. It also has a superfluous ' or' at the end of the sentence.

  3. "Sharing the risk with other parties by insurance, subcontracting or risk-financing; and" Those are definitely not the only forms of risk sharing, so should be identified as examples, perhaps being introduced by "such as". Risks are also shared with suppliers, partners, customers, owners and society, for example through published policies and disclaimers, contractual clauses, or implicitly. Another small point, maybe, but to me it's also a missed opportunity to explain or expand on the requirement from 27001 and inform/educate readers.

  4. "Retaining the risk, which means that although the risk cannot be accepted, no other risk treatment is possible or feasible at the present time. If this treatment option is selected, the risk should be monitored to avoid unforeseen or uncontrolled increase in risk level." This really poked me in the beady eye. For starters, the first couple of clauses imply a particular distinction between 'risk acceptance' and 'risk retention', whereas those terms are normally equivalent and are often used interchangeably in practice. That's potentially an interesting linguistic point not explained in the CD yet worth considering separately (not now!). Or it could just be another example of imprecise language.

    Secondly, the final clause of the first sentence extends, interprets or modifies the literal wording of this clause in 27001. 27001 does not specify or require the sequence or rationale implied here: risks can be retained or accepted even if 'other treatments are possible or feasible at this time': it is management's prerogative to determine what - if anything - to do about risks. They are at liberty to retain or accept or do nothing about risks, or even to take on additional risks, typically in order to pursue valuable business opportunities. This is a fundamental point about a 27001 ISMS: the generic standard does not insist that users treat their risks in particular ways, leaving it to management's discretion given their unique organisational context. The final sentence clearly indicates that risk monitoring is only appropriate or necessary if risks are retained - which is plain wrong. Risks can and do change all the time, despite risk management activities meant to bring them at least partially under control. Leaving avoided, modified or shared risks unmonitored would, itself, be risky.


Digging deeper, I wondered where these four possible risk treatment options arose, since they are not specified in 27001 ... and here it gets perplexing.


A search of the ISO Online Browsing Platform for terms and definitions of "risk treatment" (in quotes) reveals 31 ISO and ISO/IEC standards defining the phrase, most of which simply re-state the definition originally from withdrawn ISO Guide 73 or its replacement ISO 31073:2022, e.g. here is the ISO/IEC 27005:2022 definition:


According to my understanding and interpretation, "Note 1 to entry" contradicts the formal definition since several of the options do not literally involve 'modifying' the risk. Risk retention, for example, leaves the risk itself unchanged: the organisation simply decides to live with it.

Furthermore note 2 flatly contradicts note 1: is 'taking or increasing [information security] risk in order to pursue an opportunity' a permitted risk treatment option (as per note 1), or not (as per note 2)?


Oh oh.


Note 3 is dubious as well, for instance equating risk mitigation with 'risk treatments that deal with negative consequences'. No, since 'mitigation' is simply a fancy word for 'reduction', 'risk reduction' properly applies to some but not all of the risk treatment options listed in note 1.


Note 4 intrigues me. The first clause may be trying to warn us that there are risks associated with the process of risk treatment, although I'm not sure about that. There are indeed several risks here, such as the uncertain possibility of:

  • Failing to identify and characterise risks accurately, or conversely identifying risks that are not genuine, substantial concerns, diverting attention and effort;

  • Mistakes and invalid assumptions in the risk analysis, leading to inaccurate estimation of the likelihood or consequences, and inappropriate priorities;

  • Inappropriate decisions on how to treat risks; and

  • All manner of issues with the specification, design, resourcing, development, implementation, operation, management, assurance and effectiveness of chosen risk treatments.


If that was what it meant, the first clause is remarkably succinct, but I suspect I am reading much more into those six words than they were truly meant to convey.


The second clause basically restates the definition: 'risk treatment can ... modify existing risks', a superfluous statement ... suggesting that the note is primarily contrasting 'create new' against 'modify existing'. Without my elaboration on the first clause, note 4 seems lame.


Re the 'SOURCE' citation, if note 1 is new and the original notes 1 and 2 are now 2 and 3, that leaves the origin of note 4 unspecified. I believe it is, in fact, a new note added to this particular definition.


OK, enough already!


Cutting to the chase, here's a slightly condensed definition from my working copy of the Cybersecurity Hyperglossary:



It is succinct without those troublesome notes, instead directing readers seeking explanation to the hyperlinked definitions of method, control, identified and risk. The uncondensed original definition calls out four possible risk treatments i.e. mitigate, share, avoid or accept - and yes those are also hyperlinked to the corresponding entries.


Admittedly, 'deal with' is imprecise language that may not be entirely obvious, especially to non-fluent English readers, but any ordinary English dictionary should cover that.

